paypoint implementation guide
5.02.01 / 5.06.06 / 5.06.09 / 5.08.09 / 5.09.06 / 5.10.04
PCI PA-DSS Implementation guide

1. Introduction

This PA-DSS Implementation Guide contains information for proper use of the paypoint application. Verifone Norway AS does not possess the authority to state that a merchant may be deemed PCI Compliant if information contained within this document is followed. Each merchant is responsible for creating a PCI-compliant environment. The purpose of this guide is to provide the information needed during installation and operation of the paypoint application in a manner that will support a merchant's PCI DSS compliance efforts.

1.1 Intended audience and document use

The PA-DSS Implementation guide must be read and understood by everyone operating the terminal, including resellers, ECR integrators, support organizations and the merchant controlling the terminal. The guide should be used by assessors conducting onsite reviews and by merchants who must validate their compliance with the PCI DSS requirements.

This guide and the training material are reviewed annually and updated if needed due to changes in paypoint or the PCI PA-DSS requirements. The latest version of this document is distributed with every new release; it can also be downloaded from: http://www.verifone.no/betalingsterminaler/

1.2 PCI DSS

The Payment Card Industry Data Security Standard (PCI-DSS) defines a set of requirements for the configuration, operation, and security of payment card transactions in your business. If you use paypoint in your business to store, process, or transmit payment card information, this standard and this guide apply to you. Failure to comply with these standards and requirements can result in significant fines if a security breach should occur.

1.3 PCI PA-DSS

The Payment Card Industry has also set the requirements for software applications that store, process or transmit cardholder data. These requirements are defined by the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS).
To make it easier for you to obtain a PCI DSS assessment, the paypoint software application has been reviewed by a QSA (Qualified Security Assessor) for compliance with the PCI PA-DSS requirements.

2 Paypoint and PCI PA-DSS

Note: This section refers to payment terminals with paypoint software versions listed on the PCI web site: List of Validated Payment Applications. If you cannot find the version running on your terminal on that list, please contact Point Support in order to upgrade your terminal.

2.1 PA-DSS Compliance

This section describes why and how paypoint can be implemented in a way that should facilitate and support PCI DSS compliance if installed in a PCI DSS compliant environment. All encryption operations are handled automatically by the terminal; this is not configurable and cannot be changed by any user. Encryption cannot be turned off for transmission or storage.

2.2 Sensitive data and cardholder data

Sensitive data: full magstripe data, CVC2, CVV2, PIN and PIN block
Cardholder data: full PAN (card number), name, service code, and expiry date

2.2.1 Transmission

Paypoint encrypts sensitive data and cardholder data using triple DES with a unique key per transaction. On top of that, the entire message sent to and from paypoint must be protected using either paypoint VPN or a VPN service provided by your network provider.
NETS will only allow connections to their production systems from an approved VPN connection. This means that you must either use a NETS access VPN service from your network provider or activate paypoint VPN in the terminal.

If you are using a wireless network, WLAN, you must set up your wireless network to use WPA/WPA2 encryption. The WLAN encryption is applied on top of the triple DES encryption and paypoint VPN implemented in the paypoint terminal. Paypoint will not allow you to use WEP (WEP is not allowed to be used for POS terminals after June 30 2010).

2.2.2 Storage

According to PCI DSS, storage of sensitive authentication data after authorization is not allowed. Storage of cardholder data will require protection. Your paypoint terminal will not store any sensitive authentication data at any time. The payment application handles all deletion and re-encryption of cardholder data; the merchant does not need to take any action to delete cardholder data.

2.2.3 Receipts, display and ECR

Your paypoint terminal will not disclose any cardholder data in the display, on the receipt or to the ECR; only the last 4 digits of the PAN are available on the receipts. The paypoint terminal will not accept any cardholder data from any external device.

2.3 Special functionality and configuration that will require extra protection

If you have configured your terminal with the settings or use some of the functionality listed below, you are handling card data, which should be handled as defined in the PCI DSS requirements. These include secure storage with restricted access and deletion when not needed anymore. Cardholder data should not be stored longer than required for your business needs. All cryptographic material and keys are automatically rendered irretrievable when not needed anymore. This is absolutely necessary for PCI-DSS compliance.

Your paypoint terminal will not store any PANs without protection.
The PAN is either encrypted, masked or truncated when stored and is deleted when not needed. For offline transactions and pre-authorizations temporarily stored in the terminal, the PAN, service code and expiry date are stored encrypted. After online processing these data are deleted. Encrypted cardholder data exceeding the retention period is automatically deleted by paypoint. Historical data exceeding the retention period is automatically re-encrypted with new keys by paypoint. Cardholder data are only stored inside the terminal and since the

2.3.1 Manual entry

In case you need to enter card numbers manually or if you have to do voice referrals, you must never keep written copies or otherwise store copies of the CVC/CVV2. We also recommend not keeping written copies of the cardholder data (PAN and expiration date).

2.3.2 bank axept offline

For bank axept cards, the Norwegian debit card, BSK mandates that the PAN is printed on the merchant copy of offline backup solution receipts. It is important that these receipts are handled in a secure way and not stored longer than necessary. Bank axept cards are technically out of scope of PCI-DSS, but BSK requires that such receipts are handled according to the PCI DSS requirements.
2.4 Paypoint can be installed in a PCI DSS compliant environment

Paypoint facilitates and supports installation in a PCI-DSS compliant environment because:

- When upgraded to a PCI PA-DSS compliant version of paypoint, all previously stored historical sensitive data are automatically deleted securely and all cardholder data are either deleted or encrypted according to the PA-DSS requirements.
- A paypoint terminal can operate behind a firewall. Please contact Verifone or read the paypoint installation manual for the relevant info.
- The paypoint terminals cannot be accessed remotely.
- Paypoint cannot be used for e-mails or internet activities.
- The software of your paypoint terminal is automatically updated when necessary. All software downloaded to the terminal is controlled by Point, and paypoint has mechanisms to ensure that software can be downloaded from trusted sources only. These mechanisms are based on digital signatures. This is absolutely necessary for PCI-DSS compliance.

3 Merchant environment and responsibilities

3.1 General requirements for PCI DSS compliance

In order for your organization to comply with PCI DSS requirements it is absolutely necessary:

- For manually entered PANs and for voice referrals it is never allowed to write down or otherwise store PAN, expiration date or CVC/CVV2.
- Implement and maintain a security policy that addresses information security for employees and contractors including the list below:
  o If you are using a wireless network, WLAN, you must make sure that:
    - Your wireless network uses WPA/WPA2 encryption for authentication and transmission.
    - The firmware on all wireless devices must be updated to support strong encryption for authentication and transmission.
    - Encryption keys are changed (as described under wlan setup):
      - from vendor defaults at installation
      - anytime someone with knowledge of the keys leaves the company or changes position
      - at least annually
    - Default SNMP community strings on wireless devices are changed.
    - Other security related vendor defaults like logins, password and SSID must be changed.
  o If you are using a wireless network within your business you must make sure that firewalls are installed that deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the environment of the paypoint terminal.
  o Cardholder data must never be stored on servers connected to the internet or sent by open communication links like e-mail or fax.
3.2 PCI DSS recommendations

In order for your organisation to comply with PCI DSS requirements it is recommended to:

- Any applicable terminal management system used as part of an authenticated remote software distribution framework for the PED should be evaluated by a QSA as part of any PCI DSS assessment.
- Make sure that historical data (magnetic stripe data, cardholder data and CVV2s) are removed from all storage devices used in your system, ECRs, PCs, servers etc. For further details please refer to your vendor.
- Implement and maintain a security policy that addresses information security for employees and contractors including:
  o Install and maintain a firewall to block any unauthorized traffic.
  o Change any default passwords used to access your system and use secure passwords.
  o You should keep your system up to date with anti-virus software, software updates, operating system updates, and any other security patches.
  o Assign individual user logins to all users.
  o Review your system logs periodically to see which users are accessing your systems.
  o You should test your network connections (including wireless networks) periodically for vulnerabilities, and make use of network vulnerability scans. If you make any significant changes to your network, you should also test for vulnerabilities.
  o Even in troubleshooting cases, sensitive authentication data are not allowed to be collected by any support organization, including Point or the reseller.
  o Restrict access to any cardholder data handled or stored according to PCI DSS requirements and delete such data when not needed anymore.
3.3 Log of payment application activity

PCI DSS compliant logging is always active and will always send the logs to Verifone's servers. In addition, the payment terminal can be configured to send syslog messages to a syslog server operated by the merchant. The messages can be put into a centralized system log where they can be monitored or reviewed by the merchant. The logging cannot be turned off since this will result in non-compliance with PCI DSS.

For more details about PCI DSS and PCI PA-DSS, please see the following link: http://www.pcisecuritystandards.org/

3.3.1 Syslog

Merchants who have a central log server and want logs from their paypoint terminals sent to their server can configure their terminals to send syslog messages by following the procedures in this chapter.

How to configure the terminal to also send syslog messages to the merchant's server:

- Activate Send system log:
  Menu + Administration + Change settings + Communication + System log + Yes
- Configure the IP address for the syslog server:
  Menu + Administration + Change settings + Communication + TCP/IP innst + 13 TCP / IP log
- Configure the port of the syslog server:
  Menu + Administration + Change settings + Communication + TCP/IP innst + TCP / IP port log

Syslog logs all changes and connections from the terminal, and sends them to the server at the first opportunity. For more details about syslog and a description of the message format, see Syslog from paypoint - User Documentation. This document can be obtained by contacting Verifone.
Configuring communication

If the paypoint terminal is behind a firewall, these TCP/IP-addresses and ports need to be available through the firewall.

NETS
paypoint VPN        NEI (no)           JA (yes)
TCP/IP prim         193.214.020.211    195.088.107.035
TCP/IP prim port    9100               9300
TCP/IP back         193.214.020.211    195.088.107.036
TCP/IP back port    9100               9300

Sales Connector     Setup 1            Setup 2
TCP/IP prim         91.207.36.107      88.80.164.126
TCP/IP prim port    443                443
TCP/IP back         88.80.164.107      91.207.36.128
TCP/IP back port    443                443

TCP/IP prog         062.092.014.217
TCP/IP prog port    5214 / 10760
TCP/IP adm          195.088.107.033
TCP/IP adm port     2610
TCP/IP ecr          xxx.xxx.xxx.xxx
TCP/IP ecr port     9550

VeriFone Vx810/Vx820/Vx670/Vx680/Vx690 uses port 10760 as TCP/IP prog port.

Sales Connector

Terminals that use setup 1: Vx670 / Vx680 / Vx690 / Xenta / Xentissimo
Terminals that use setup 2: Yomani / Yomani XR / Xenteo ECO / Xenoa ECO

WLAN

WLAN encryption keys and other WLAN settings can be changed in the WLAN menu:
Menu + 5 Administration + 5 Change settings + 2 Installation + 6 WLAN config

WLAN config - Select Base 1-9
(1) SSID
(2) WLAN-key
(3) Encryption
(4) Priority
(5) Delete base
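One way to check a firewall log from the terminal segment against the destinations in the Configuring communication table, as an added example that is not part of Verifone's guide. The profile names, the log line format and the sample addresses 10.20.0.15 and 203.0.113.50 are assumptions constructed for illustration; the code also normalizes the zero-padded addresses the guide prints (such as 195.088.107.035), which some tools reject or read as octal.

```python
import ipaddress
import re

# Destinations copied from the guide's table, in its zero-padded notation.
# The profile names (keys) are hypothetical labels chosen for this example.
GUIDE_TABLE = {
    "nets_vpn_off": [("193.214.020.211", 9100)],
    "nets_vpn_on": [("195.088.107.035", 9300), ("195.088.107.036", 9300)],
    "sales_setup1": [("91.207.36.107", 443), ("88.80.164.107", 443)],
    "sales_setup2": [("88.80.164.126", 443), ("91.207.36.128", 443)],
    "prog": [("062.092.014.217", 5214), ("062.092.014.217", 10760)],
    "adm": [("195.088.107.033", 2610)],
}

def normalize(addr):
    """Read zero-padded octets as decimal ("088" is not valid octal anyway)."""
    return ipaddress.IPv4Address(".".join(str(int(o, 10)) for o in addr.split(".")))

def build_allowlist(profiles):
    """Return the set of (address, port) pairs permitted for the given profiles."""
    return {(normalize(ip), port) for p in profiles for ip, port in GUIDE_TABLE[p]}

# Assumed log format: key=value pairs with src, dst and dport fields.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def audit(log_lines, allowlist):
    """Return (src, dst, port) for every flow whose destination is not allowed."""
    findings = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), normalize(m.group(2)), int(m.group(3))
        if (dst, port) not in allowlist:
            findings.append((src, str(dst), port))
    return findings

# Constructed firewall log lines for a terminal configured with paypoint VPN on.
SAMPLE_LOG = [
    "src=10.20.0.15 dst=195.88.107.35 dport=9300 proto=tcp",
    "src=10.20.0.15 dst=62.92.14.217 dport=10760 proto=tcp",
    "src=10.20.0.15 dst=193.214.20.211 dport=9100 proto=tcp",
    "src=10.20.0.15 dst=203.0.113.50 dport=443 proto=tcp",
]

if __name__ == "__main__":
    allowed = build_allowlist(["nets_vpn_on", "sales_setup1", "prog", "adm"])
    for finding in audit(SAMPLE_LOG, allowed):
        print("unexpected destination:", finding)
```

With the paypoint VPN profile selected, a flow to the non-VPN NETS address on port 9100 is reported alongside the unknown destination, which is a useful signal that a terminal is not using paypoint VPN as intended.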
Support

Support can be directed to your reseller, or directly to Verifone support on tel. 81502200 or support@verifone.no. Check also the Support page on our homepage: www.verifone.no

Verifone Norway AS
Postal address: Postboks 73, 0508 Oslo
Street address: Østre Aker vei 24, N-0581 OSLO

Latest version of this document can be found at: http://www.verifone.no/betalingsterminaler/

Version 3.9 27.03.15